Username lists

Generic Wordlist

ls /usr/share/seclists/Usernames

cirt-default-usernames.txt              README.md
CommonAdminBase64.txt                   sap-default-usernames.txt
Honeypot-Captures                       top-usernames-shortlist.txt
mssql-usernames-nansh0u-guardicore.txt  xato-net-10-million-usernames-dup.txt
Names                                   xato-net-10-million-usernames.txt
locate names.txt

/opt/useful/SecLists/Usernames/Names/names.txt
LogoSecLists/Usernames at master · danielmiessler/SecListsGitHub
Logowordlist/usernames.txt at master · jeanphorn/wordlistGitHub

Unix

ls /opt/tools/metasploit-framework/data/wordlists/ | grep unix    

unix_passwords.txt
unix_users.txt

Windows

LogoGitHub - insidetrust/statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testingGitHub
jsmith.txt and a lot of usefull usernamelist like service-accounts.txt test-accounts or top-formats.txt
/opt/tools/metasploit-framework/data/wordlists/namelist.txt

AD User Naming Convention

joe.smith
jmith
joesmi
https://activedirectorypro.com/active-directory-user-naming-convention/activedirectorypro.com
Username Convention
Practical Example for Jane Jill Doe

firstinitiallastname

jdoe

firstinitialmiddleinitiallastname

jjdoe

firstnamelastname

janedoe

firstname.lastname

jane.doe

lastname.firstname

doe.jane

nickname

doedoehacksstuff

Often, an email address's structure will give us the employee's username (structure: username@domain). For example, from the email address jdoe@inlanefreight.com, we see that jdoe is the username.

A tip from MrB3n: We can often find the email structure by Googling the domain name, i.e., “@inlanefreight.com” and get some valid emails. From there, we can use a script to scrape various social media sites and mashup potential valid usernames. Some organizations try to obfuscate their usernames to prevent spraying, so they may alias their username like a907 (or something similar) back to joe.smith. That way, email messages can get through, but the actual internal username isn’t disclosed, making password spraying harder. Sometimes you can use google dorks to search for “inlanefreight.com filetype:pdf” and find some valid usernames in the PDF properties if they were generated using a graphics editor. From there, you may be able to discern the username structure and potentially write a small script to create many possible combinations and then spray to see if any come back valid.

Custom wordlist

$ ./username-anarchy -i /home/ltnbob/names.txt
username-anarchy John Marston          

john
johnmarston
john.marston
johnmars
johnm
j.marston
jmarston
mjohn
m.john
marstonj
marston
marston.j
marston.john
jm
./username-anarchy Bill Gates > bill.txt

Also with only one user, we can extract the list of all users - See Netexec - CME and SMB (445, 139)

PreviousPassword listsNextKraken - All-in-One Tool

Last updated